MalwareSourceCode/Win32/Proof of Concepts/ProcessDoppelgänging/processrefund/ntdefs.h

340 lines
8.5 KiB
C
Raw Normal View History

2022-04-12 01:00:13 +00:00
#pragma once
#include <Windows.h>
#include <KtmW32.h>
#include <lmerr.h>
#include <winternl.h>
#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
typedef struct _UNICODE_STRING_DWORD64
{
WORD Length;
WORD MaximumLength;
DWORD64 Buffer;
} UNICODE_STRING64, STRING64, *PSTRING64;
struct _LIST_ENTRY_DWORD64
{
DWORD64 Flink;
DWORD64 Blink;
};
typedef struct _CURDIR_64
{
UNICODE_STRING64 DosPath;
UINT64 Handle;
} CURDIR64, *PCURDIR64;
typedef struct _RTL_DRIVE_LETTER_CURDIR_64
{
WORD Flags;
WORD Length;
ULONG TimeStamp;
STRING64 DosPath;
} RTL_DRIVE_LETTER_CURDIR64, *PRTL_DRIVE_LETTER_CURDIR64;
typedef struct _RTL_USER_PROCESS_PARAMETERS_64
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
UINT64 ConsoleHandle;
ULONG ConsoleFlags;
UINT64 StandardInput;
UINT64 StandardOutput;
UINT64 StandardError;
CURDIR64 CurrentDirectory;
UNICODE_STRING64 DllPath;
UNICODE_STRING64 ImagePathName;
UNICODE_STRING64 CommandLine;
UINT64 Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING64 WindowTitle;
UNICODE_STRING64 DesktopInfo;
UNICODE_STRING64 ShellInfo;
UNICODE_STRING64 RuntimeData;
RTL_DRIVE_LETTER_CURDIR64 CurrentDirectores[32];
ULONG EnvironmentSize;
} RTL_USER_PROCESS_PARAMETERS64, *PRTL_USER_PROCESS_PARAMETERS64;
typedef struct _CURDIR
{
UNICODE_STRING DosPath;
HANDLE Handle;
} CURDIR, *PCURDIR;
typedef struct _RTL_DRIVE_LETTER_CURDIR
{
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
typedef struct my_RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PVOID Environment;
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopInfo;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
ULONG_PTR EnvironmentSize;
ULONG_PTR EnvironmentVersion;
PVOID PackageDependencyData;
ULONG ProcessGroupId;
ULONG LoaderThreads;
} my_RTL_USER_PROCESS_PARAMETERS, *my_PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PROCESS_BASIC_INFORMATION64 {
NTSTATUS ExitStatus;
UINT32 Reserved0;
UINT64 PebBaseAddress;
UINT64 AffinityMask;
UINT32 BasePriority;
UINT32 Reserved1;
UINT64 UniqueProcessId;
UINT64 InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION64;
typedef struct _PEB64
{
union
{
struct
{
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
BYTE BitField;
};
DWORD64 dummy01;
};
DWORD64 Mutant;
DWORD64 ImageBaseAddress;
DWORD64 Ldr;
DWORD64 ProcessParameters;
DWORD64 SubSystemData;
DWORD64 ProcessHeap;
DWORD64 FastPebLock;
DWORD64 AtlThunkSListPtr;
DWORD64 IFEOKey;
DWORD64 CrossProcessFlags;
DWORD64 UserSharedInfoPtr;
DWORD SystemReserved;
DWORD AtlThunkSListPtr32;
DWORD64 ApiSetMap;
DWORD64 TlsExpansionCounter;
DWORD64 TlsBitmap;
DWORD TlsBitmapBits[2];
DWORD64 ReadOnlySharedMemoryBase;
DWORD64 HotpatchInformation;
DWORD64 ReadOnlyStaticServerData;
DWORD64 AnsiCodePageData;
DWORD64 OemCodePageData;
DWORD64 UnicodeCaseTableData;
DWORD NumberOfProcessors;
union
{
DWORD NtGlobalFlag;
DWORD dummy02;
};
LARGE_INTEGER CriticalSectionTimeout;
DWORD64 HeapSegmentReserve;
DWORD64 HeapSegmentCommit;
DWORD64 HeapDeCommitTotalFreeThreshold;
DWORD64 HeapDeCommitFreeBlockThreshold;
DWORD NumberOfHeaps;
DWORD MaximumNumberOfHeaps;
DWORD64 ProcessHeaps;
DWORD64 GdiSharedHandleTable;
DWORD64 ProcessStarterHelper;
DWORD64 GdiDCAttributeList;
DWORD64 LoaderLock;
DWORD OSMajorVersion;
DWORD OSMinorVersion;
WORD OSBuildNumber;
WORD OSCSDVersion;
DWORD OSPlatformId;
DWORD ImageSubsystem;
DWORD ImageSubsystemMajorVersion;
DWORD64 ImageSubsystemMinorVersion;
DWORD64 ActiveProcessAffinityMask;
DWORD64 GdiHandleBuffer[30];
DWORD64 PostProcessInitRoutine;
DWORD64 TlsExpansionBitmap;
DWORD TlsExpansionBitmapBits[32];
DWORD64 SessionId;
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
DWORD64 pShimData;
DWORD64 AppCompatInfo;
struct _UNICODE_STRING_DWORD64 CSDVersion;
DWORD64 ActivationContextData;
DWORD64 ProcessAssemblyStorageMap;
DWORD64 SystemDefaultActivationContextData;
DWORD64 SystemAssemblyStorageMap;
DWORD64 MinimumStackCommit;
DWORD64 FlsCallback;
struct _LIST_ENTRY_DWORD64 FlsListHead;
DWORD64 FlsBitmap;
DWORD FlsBitmapBits[4];
DWORD64 FlsHighIndex;
DWORD64 WerRegistrationData;
DWORD64 WerShipAssertPtr;
DWORD64 pContextData;
DWORD64 pImageHeaderHash;
DWORD64 TracingFlags;
DWORD64 CsrServerReadOnlySharedMemoryBase;
} PEB64;
typedef
NTSTATUS(WINAPI *pfnNtWow64QueryInformationProcess64)
(HANDLE ProcessHandle, UINT32 ProcessInformationClass,
PVOID ProcessInformation, UINT32 ProcessInformationLength,
UINT32* ReturnLength);
typedef
NTSTATUS(WINAPI *pfnNtWow64ReadVirtualMemory64)
(HANDLE ProcessHandle, PVOID64 BaseAddress,
PVOID BufferData, UINT64 BufferLength,
PUINT64 ReturnLength);
typedef
NTSTATUS(WINAPI *pfnNtQueryInformationProcess)
(HANDLE ProcessHandle, ULONG ProcessInformationClass,
PVOID ProcessInformation, UINT32 ProcessInformationLength,
UINT32* ReturnLength);
typedef NTSTATUS(NTAPI *NtResumeThread)(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG SuspendCount
);
typedef NTSTATUS(NTAPI *my_NtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
typedef NTSTATUS(NTAPI *my_NtWow64QueryInformationProcess64)
(
IN HANDLE ProcessHandle,
IN ULONG ProcessInformationClass,
OUT PVOID ProcessInformation64,
IN ULONG Length,
OUT PULONG ReturnLength OPTIONAL
);
typedef NTSTATUS(NTAPI *RtlCreateProcessParametersEx)(
_Out_ my_PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
_In_ PUNICODE_STRING ImagePathName,
_In_opt_ PUNICODE_STRING DllPath,
_In_opt_ PUNICODE_STRING CurrentDirectory,
_In_opt_ PUNICODE_STRING CommandLine,
_In_opt_ PVOID Environment,
_In_opt_ PUNICODE_STRING WindowTitle,
_In_opt_ PUNICODE_STRING DesktopInfo,
_In_opt_ PUNICODE_STRING ShellInfo,
_In_opt_ PUNICODE_STRING RuntimeData,
_In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
);
typedef NTSTATUS(NTAPI *NtCreateThreadEx)(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN LPVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN LPTHREAD_START_ROUTINE lpStartAddress,
IN LPVOID lpParameter,
IN BOOL CreateSuspended,
IN DWORD StackZeroBits,
IN DWORD SizeOfStackCommit,
IN DWORD SizeOfStackReserve,
OUT LPVOID lpBytesBuffer
);
typedef NTSTATUS(NTAPI *NtCreateSection)(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PLARGE_INTEGER MaximumSize,
_In_ ULONG SectionPageProtection,
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle
);
typedef NTSTATUS(NTAPI *NtCreateProcessEx)
(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN ULONG Flags,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN BOOLEAN InJob
);
typedef VOID (NTAPI *my_RtlInitUnicodeString)(
_Out_ PUNICODE_STRING DestinationString,
_In_opt_ PCWSTR SourceString
);
typedef POBJECT_ATTRIBUTES(NTAPI *BaseFormatObjectAttributes)(OUT POBJECT_ATTRIBUTES ObjectAttributes,
IN PSECURITY_ATTRIBUTES SecurityAttributes OPTIONAL,
IN PUNICODE_STRING ObjectName,
OUT PDWORD NumberOfBytes);
//
// NtCreateProcessEx flags
//
#define PS_REQUEST_BREAKAWAY 1
#define PS_NO_DEBUG_INHERIT 2
#define PS_INHERIT_HANDLES 4
#define PS_UNKNOWN_VALUE 8
#define PS_ALL_FLAGS PS_REQUEST_BREAKAWAY |PS_NO_DEBUG_INHERIT |PS_INHERIT_HANDLES | PS_UNKNOWN_VALUE